{"id":"RHSA-2026:7350","summary":"Red Hat Security Advisory: nodejs:24 security update","modified":"2026-04-17T10:09:02Z","published":"2026-04-10T10:09:15Z","upstream":["CVE-2026-1525","CVE-2026-1526","CVE-2026-1527","CVE-2026-1528","CVE-2026-21637","CVE-2026-21710","CVE-2026-21711","CVE-2026-21712","CVE-2026-21713","CVE-2026-21714","CVE-2026-21715","CVE-2026-21716","CVE-2026-21717","CVE-2026-2229","CVE-2026-25547","CVE-2026-2581","CVE-2026-26996","CVE-2026-27135"],"references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:7350"},{"type":"ARTICLE","url":"https://access.redhat.com/security/updates/classification/#important"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2431340"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2436942"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2441268"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447140"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447141"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447142"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447143"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447144"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2447145"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2448754"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453037"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453151"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453152"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453157"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453158"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453160"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453161"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2453162"},{"type":"ADVISORY","url":"https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_7350.json"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-1525"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-1525"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1525"},{"type":"ARTICLE","url":"https://cna.openjsf.org/security-advisories.html"},{"type":"ARTICLE","url":"https://cwe.mitre.org/data/definitions/444.html"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3556037"},{"type":"ARTICLE","url":"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-1526"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-1526"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1526"},{"type":"ARTICLE","url":"https://datatracker.ietf.org/doc/html/rfc7692"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3481206"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-1527"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-1527"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1527"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3487198"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-1528"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-1528"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1528"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3537648"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-2229"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-2229"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2229"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3487486"},{"type":"ARTICLE","url":"https://nodejs.org/api/zlib.html#class-zlibinflateraw"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-2581"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-2581"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2581"},{"type":"ARTICLE","url":"https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3513473"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21637"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21637"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21637"},{"type":"ARTICLE","url":"https://nodejs.org/en/blog/vulnerability/december-2025-security-releases"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21710"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21710"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21710"},{"type":"ARTICLE","url":"https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21711"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21711"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21711"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21712"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21712"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21712"},{"type":"ARTICLE","url":"https://hackerone.com/reports/3546390"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21713"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21713"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21713"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21714"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21714"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21714"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21715"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21715"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21715"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21716"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21716"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21716"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-21717"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-21717"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21717"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-25547"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-25547"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25547"},{"type":"ARTICLE","url":"https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-26996"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-26996"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26996"},{"type":"ARTICLE","url":"https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5"},{"type":"ARTICLE","url":"https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26"},{"type":"REPORT","url":"https://access.redhat.com/security/cve/CVE-2026-27135"},{"type":"ADVISORY","url":"https://www.cve.org/CVERecord?id=CVE-2026-27135"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27135"},{"type":"ARTICLE","url":"https://github.com/nghttp2/nghttp2/commit/5c7df8fa815ac1004d9ecb9d1f7595c4d37f46e1"},{"type":"ARTICLE","url":"https://github.com/nghttp2/nghttp2/security/advisories/GHSA-6933-cjhr-5qg6"}],"affected":[{"package":{"name":"nodejs","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-debuginfo","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-debuginfo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-debugsource","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-debugsource"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-devel","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-devel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-docs","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-docs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-full-i18n","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-full-i18n"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-libs","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-libs"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-libs-debuginfo","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-libs-debuginfo"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:24.14.1-2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-nodemon","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-nodemon"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:3.0.3-3.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-packaging","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-packaging"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2021.06-6.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"nodejs-packaging-bundler","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/nodejs-packaging-bundler"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0:2021.06-6.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"npm","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/npm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:11.11.0-1.24.14.1.2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}},{"package":{"name":"v8-13.6-devel","ecosystem":"Red Hat:enterprise_linux:9::appstream","purl":"pkg:rpm/redhat/v8-13.6-devel"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3:13.6.233.17-1.24.14.1.2.module+el9.7.0+24166+51c9666b"}]}],"database_specific":{"source":"https://security.access.redhat.com/data/osv/RHSA-2026:7350.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}